CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Description
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7
CVEs mapped to this weakness (10,236)
page 78 of 512

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-30839 | | Critical | 0.57 | 9.9 | 0.02 | | Apr 25, 2023 | PrestaShop is an Open Source e-commerce web application. Versions prior to 8.0.4 and 1.7.8.9 contain a SQL filtering vulnerability. A BO user can write, update, and delete in the database, even without having specific rights. PrestaShop 8.0.4 and 1.7.8.9 contain a patch for this… |
| CVE-2022-4935 | | High | 0.57 | 8.8 | 0.01 | | Apr 5, 2023 | The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions… |
| CVE-2023-1471 | | High | 0.57 | 8.8 | 0.01 | | Mar 17, 2023 | The WP Popup Banners plugin for WordPress is vulnerable to SQL Injection via the 'banner_id' parameter in versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it… |
| CVE-2023-24789 | — | High | 0.57 | 8.8 | 0.01 | | Mar 6, 2023 | jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injection vulnerability via the building block report component. |
| CVE-2023-25158 | | Critical | 0.57 | 9.8 | 0.01 | | Feb 21, 2023 | GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastores. SQL Injection Vulnerabilities have been found when executing OGC Filters… |
| CVE-2022-38867 | — | High | 0.57 | 8.8 | 0.01 | | Feb 15, 2023 | SQL Injection vulnerability in rttys versions 4.0.0, 4.0.1, 4.0.2, and 4.4.x in api.go, allows attackers to execute arbitrary code. |
| CVE-2022-45090 | | High | 0.57 | 8.8 | 0.01 | | Feb 12, 2023 | Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. |
| CVE-2022-45089 | | High | 0.57 | 8.8 | 0.01 | | Feb 12, 2023 | Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. |
| CVE-2023-24163 | — | Critical | 0.57 | 9.8 | 0.01 | | Jan 31, 2023 | SQL Injection vulnerability in Dromara hutool before 5.8.21 allows attacker to execute arbitrary code via the aviator template engine. |
| CVE-2020-22452 | | Critical | 0.57 | 9.8 | 0.02 | | Jan 26, 2023 | SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. |
| CVE-2022-47105 | — | Critical | 0.57 | 9.8 | 0.01 | | Jan 19, 2023 | Jeecg-boot v3.4.4 was discovered to contain a SQL injection vulnerability via the component /sys/dict/queryTableData. |
| CVE-2023-22727 | | Critical | 0.57 | 9.8 | 0.01 | | Jan 17, 2023 | CakePHP is a development framework for PHP web apps. In affected versions the `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data. This issue has been fixed in 4.2.12, 4.3.11, 4.4.10.… |
| CVE-2022-3751 | | Critical | 0.57 | 9.8 | 0.01 | | Nov 29, 2022 | SQL Injection in GitHub repository owncast/owncast prior to 0.0.13. |
| CVE-2022-45207 | — | Critical | 0.57 | 9.8 | 0.01 | | Nov 25, 2022 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component updateNullByEmptyString. |
| CVE-2022-45206 | — | Critical | 0.57 | 9.8 | 0.01 | | Nov 25, 2022 | Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check. |
| CVE-2022-38148 | — | High | 0.57 | 8.8 | 0.01 | | Nov 21, 2022 | Silverstripe silverstripe/framework through 4.11 allows SQL Injection. |
| CVE-2022-4093 | | Critical | 0.57 | 9.8 | 0.04 | | Nov 21, 2022 | SQL injection attacks can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have been the result of SQL injection attacks, leading to reputational damage and… |
| CVE-2022-42120 | — | Critical | 0.57 | 9.8 | 0.01 | | Nov 15, 2022 | A SQL injection vulnerability in the Fragment module in Liferay Portal 7.3.3 through 7.4.3.16, and Liferay DXP 7.3 before update 4, and 7.4 before update 17 allows attackers to execute arbitrary SQL commands via a PortletPreferences' `namespace` attribute. |
| CVE-2022-37333 | — | High | 0.57 | 8.8 | 0.01 | | Aug 24, 2022 | SQL injection vulnerability in the Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows remote authenticated attackers to execute… |
| CVE-2022-31181 | | Critical | 0.57 | 9.8 | 0.05 | | Aug 1, 2022 | PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised… |